I have a group policy (among many others) that specifies a screensaver must be enabled and lock the screen after 15 minutes of inactivity. It's a user policy.

The policy works fine but I'm now in a position whereby I want to prevent a particular group of computers (in their own OU) from inheriting this policy, whilst still inheriting other policies and allowing any user to logon.

I'm using AD 2003 and as far as I can tell the best way to do this is with a WMI filter, but I can't seem to find an appropriate example that fits my scenario.

Since this is a user policy, it gets a bit more complicated. Since it's a user policy, it doesn't apply to computers, only to users. Normally, a user policy follows a user around to whatever computer they log into, but you want this policy to not follow the user to those particular computers. Am I right?

If you want to apply a different user policy to users when they log into computers in a different OU, then you need to use Loopback policy mode (Computer\Administrative Templates\System\Group Policy).

It's difficult to explain, but when you apply the loopback mode to a particular computer OU, then any user that logs into a computer on that OU gets the user policies that are applied to that OU. Loopback processing can take two forms: Either replace or merge. In Replace, the User policies in the computer's OU replace all of the User policies that the user would normally have, and merge simply adds those policies to those that the user would normally have. I generally use merge, and simply "Disable" any policies that were enabled in other places that I don't want. If you want to completely replace the user's policies then replace mode is what you want.

As an example of how Microsoft planned for this to be used, you might have a classroom in your company, and when users are in the classroom, they can still log in as themselves, but are not permitted to store files locally. This can be accomplished with a loopback policy. It sounds a bit like what you want to happen.

You need to plan carefully with Loopback mode because it can get a bit confusing.
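The merge-mode setup described in this answer, built with the GroupPolicy cmdlets, as an added example that is not code from the thread. The OU, GPO and group names (`OU=Classroom,DC=example,DC=com`, `Classroom-NoScreenLock`, `Classroom-Computers`) are assumptions, and it assumes a management host with the RSAT GroupPolicy module (Server 2008 R2 / Windows 7 or later); the resulting GPO is still processed normally by clients in a 2003 domain. Because merge mode appends the computer OU's GPOs after the user's own, the Disabled settings here override the standard user policy's Enabled ones.

```powershell
# Added example (not from the thread): a loopback-merge GPO that suppresses the
# screensaver lock on one OU of computers. All names below are hypothetical.
Import-Module GroupPolicy

$gpoName = 'Classroom-NoScreenLock'
$ou      = 'OU=Classroom,DC=example,DC=com'
$group   = 'Classroom-Computers'

$gpo = New-GPO -Name $gpoName -Comment 'Loopback merge: no screensaver lock on classroom PCs'

# Computer side: "Configure user Group Policy loopback processing mode".
# UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User side: the same screensaver policies the standard GPO enables, set to Disabled.
# "Enable screen saver" = Disabled writes ScreenSaveActive "0";
# "Password protect the screen saver" = Disabled writes ScreenSaverIsSecure "0".
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '0' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

# Link to the computer OU and enforce it so nothing below it can override the settings.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced Yes | Out-Null

# Security filtering: give the computer group Read + Apply. Authenticated Users keep
# their default Apply right so the logged-on user can still receive the user half.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# Dump the finished GPO for review before rolling it out.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Computers added to the group need a reboot before the new group membership shows up in their token, so test on a freshly rebooted machine.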

Create a security group, add the computers you want to manage with this GPO to the group, then edit the GPO to apply to the security group only.

What Harry said, which is called GPO filtering. Also, you can't "Deny" with filtering, so it's best not to recycle security groups unless they truly fit the scope of your GPO. Use Group Policy Modeling to troubleshoot how it applies.

You can Deny with security filtering on a GPO. Just go to the Delegation tab and click the Advanced button, add your group and deny it the "Apply Group Policy" permission.

Create a Security Group (e.g. PolicyName-Deny), add all of the users to the group, open up the policy to edit it, click the Delegation tab, add the new group, click Advanced, scroll down to Apply Group Policy and check Deny.


Set another GPO on the OU with the computer you wish to exclude. In this GPO set your screensaver settings for your set of computers. Set the GPO to enforce. Then the settings in this policy will take effect on those computers.

If you link a GPO to an OU with Computer Objects in it, it will not process the User Config portion of the GPO on the user that uses that PC.

This.

There isn't a setting in XP or Win7 that I can find for computer policy that sets the timeout. This is something set as a user policy, so it will only apply to user accounts.

Create a computer group, add the computers in the OU to the computer group. What you will want to do is create a new policy for just that OU, enable loopback processing on it, and in the Security Filtering area, only apply it to the computer group, and Authenticated Users. Take note of the above post for notes on the loopback settings.

You might be able to script that and do a check on the computer's OU: if the user is logging into a computer in that OU then you could skip the settings, and if somewhere outside that OU then apply those settings?

I have done this before but I am no script guru. If you think you are going to go this way then let me know and maybe I can find some of the code ( in my old scripts ) to help out.

I created a new OU and moved a test workstation to this OU. I applied the loopback GPO in merge mode, and a lock screen policy with the settings disabled which are enabled for the standard user policy which is going around. I enforced the links and have Authenticated Users in security filtering for both GPOs, but sadly it is still locking itself after the set time period.

Any suggestions?

Regards,

Craig

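A troubleshooting pass for the situation in Craig's follow-up, as an added example rather than anything posted in the thread. It is run in an elevated PowerShell prompt on the test workstation itself and assumes nothing beyond built-in tools; the registry paths are the ones the loopback and screensaver policies write to, and the HTML report location is an assumption.

```powershell
# Added example (not from the thread): confirm on the test workstation whether
# loopback merge and the "disabled" screensaver values actually arrived.

# 1. Did the computer half apply? UserPolicyMode 1 = Merge, 2 = Replace; absent = no loopback.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name 'UserPolicyMode' -ErrorAction SilentlyContinue |
    Select-Object UserPolicyMode

# 2. What does the logged-on user actually have? A lock after the timeout means these
#    still carry the standard policy's values ("1", "1", "900") instead of "0".
Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ErrorAction SilentlyContinue |
    Select-Object ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut

# 3. Which GPOs applied, which were filtered out, and in what order.
#    /scope:user shows the merged list; the computer-OU GPO should be near the top.
gpresult /r /scope:computer
gpresult /r /scope:user

# 4. Full report with winning GPO per setting (gpresult /h needs Vista/Win7 or later;
#    on XP use the RSoP snap-in or Group Policy Modeling in GPMC instead).
gpresult /h "$env:TEMP\rsop.html" /f

# 5. After any fix: refresh and re-run steps 1 and 2. The computer-side loopback value
#    is read at logon, so log off and back on (or reboot) before judging the result.
gpupdate /force
```

The two things to check first in the output of step 3 are that the loopback GPO is listed under the computer's applied GPOs (the computer account needs Read and Apply on it, and a newly added group membership only reaches the computer's token after a reboot) and that the workstation's policy refresh has actually run since it was moved to the new OU.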
